For a long time it seemed hackers didn’t care about small businesses. They liked to make a splash by penetrating the defenses of major corporations and going after the deep pockets of the fat cats. Anonymity and the absence of the lure of major financial resources kept employers of less than 250 relatively safe. That is no longer the case. Here’s a statistic that should make a small business owner squirm. The security company Symantec logged 300 percent more cyberattacks in 2012 on the small business scene than the previous year. Unnerving to say the least. Add to that a June 2016 study that found more than 50 percent of small businesses were hacked in the previous 12 months. Got any guesses as to why? We do.
Low Risk, High Reward
As opposed to major corporations who dump millions of dollars into online security, most small business computer systems are relatively unprotected and easy to break into. Add to this that only about 10 percent of cyber crimes reported by a small business results in a conviction. That leaves little incentive for an owner to do little more than cross fingers, grit teeth, and go about his or her day. Much of the low cost, freely available malware and virus protection commonly used by a small business do a poor job of detecting when a clever criminal has visited, pilfered records, and disappeared. Additionally, too many owners view the cost of effective protection as prohibitive and would never even think of spending the kind of money necessary to make a difference.
No Data Security Policy
While large business concerns have entire departments dedicated to stopping cyber attacks, there’s a good chance that your average small business has one guy (or girl) to do the job in between tending to many other tasks. The lack of a comprehensive data security policy leaves the safety of anything stored on the company network at the mercy of the sloppiest employee. The lack of a formal policy guarantees an understaffed IT department (or person) feels like they’re trying to bail water in a leaky boat with a hand strainer.
The Ostrich Maneuver
Despite a general knowledge that cybersecurity is important, a typical small business owner might as well have his or her head stuck in the sand. They may say the right things in favor of protecting their company’s data but a lack of budget dedicated to implementing a managed detection and response services. They either don’t really get it, or their priorities are not in alignment with reality: even a comparatively small database full of credit cards, employee personal information, and the company’s financial data is, in fact, a worthy inducement to those with criminal intent.
An Ignorant Workforce
Even after living in the Internet Age for more than two decades, the global workforce is still woefully susceptible to even the most basic of cyber attacks. Phishing remains one of the most used and effective methods criminals use to induce company employees to divulge privileged information through the use of emails bearing fake (but very official looking) logos of mega-corporations like Bank of America or Citigroup.
Here’s a good rule of thumb. NEVER send sensitive information like credit card numbers, bank accounts, or social security numbers out in response to an email request. If you get this type of request, either pass it up to someone higher in the chain of command or give the alleged company a call to see if the request is legit. Due to the lack of a comprehensive data security policy, as we mentioned above, too many employees are not on guard to phishing.
The Bottom Line
Today’s reality is that the old ways of combating hackers are simply not effective any more. You can no longer rely on firewalls, intrusion prevention systems, or off-the-shelf antivirus programs that rely on URL blacklists and signatures. Today’s cyber criminal is way too smart for that. You need modern tactics that can detect and adapt to attacks in real time.
by: Vincent Stokes